WASHINGTON -- As the nature and scope of security threats have changed dramatically over the last few years, enterprise security professionals have struggled to keep up. But they're not alone. The folks at Google Inc. also have had their share of challenges in adjusting to the new state of security on the Web.
Even though Google sprang from the Internet culture that now dominates the corporate computing environment, the company is constantly working to understand the nature of the threats online and how they affect the company's customers and the broader Internet community, Scott Petry, Google's director of enterprise security and compliance, said during a keynote speech at the Gartner IT Security Summit here Monday. Sure, Google has helped define and shape the way people work online, but that doesn't mean the company is immune to the complexities that online computing can introduce.
"It turns out that it's a very black-box world," Petry said. "We need to change our thinking to a security mentality that recognizes that the world is a black box and we don't know what some of the threats are and that we need to be able to respond to changes and threats as they happen. We don't know what we don't know. There's no way we can define a white box around all of the Google applications."
One way that Google, of Mountain View, Calif., is working to get a handle on this environment is by monitoring the ways in which people use Google Apps, the company's online application offerings, which include word processing, a spreadsheet application and a presentation application, similar to PowerPoint. The applications host all of the users' data online and enable users to share documents with virtually anyone, inside or outside their organizations. But because the applications exist online, they are subject to any number of known and unknown application-level attacks and Web threats, making security a thornier problem than usual.
The lessons the company has learned throughout the process are ones that can be applied in just about any organization. For example, Google's goal in securing Google Apps, as well as its own internal applications, is to enable people to do what they want to do, not prevent them from doing it. Mechanisms such as warnings for users who are trying to visit a known malicious website and a password-management tool are meant to make it easier for users to use the Web more securely without a lot of interference.
"Google doesn't want to be the company telling people what to do and what not to do," Petry said. "We put a disproportionate amount of energy into helping users use the Internet safely. How do we create a safe experience for users? Our business is built on the quality of our results."
Petry encouraged IT security specialists to look at the ways in which they secure their own organizations and see how they can provide a more open and satisfying experience for users, while still emphasizing security.